Showing posts with label HR 3490. Show all posts

Monday, June 19, 2023

Review - H 3490 Introduced – Smart Water Technology

Last month, Rep Gallego (D,AZ) introduced HR 3490, the Water Infrastructure Modernization Act of 2023. The bill would help upgrade and modernize the drinking water, wastewater, and stormwater systems of the United States and encourage the use of water-efficient technologies to address drought and prepare for the growing strain that population growth and climate change will have on over-allocated water supplies. The bill would authorize $50 million in funding through 2028 to support the programs outlined in the legislation.

The bill is similar in intent to HR 6088 (removed from paywall) which was introduced last session by Gallego. No action was taken in the 117th Congress on that bill. This current bill is a complete rewrite of the earlier legislation.

Moving Forward

While Gallego is not a member of the House Transportation and Infrastructure Committee to which this bill was assigned for primary consideration, his sole cosponsor {Rep Duarte (R,CA)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. This is a significant change from the potential for consideration of HR 6088 in the last session. While there will be little organized opposition to the technology supported by this bill, the $50 million (congressional small change) in authorizations is going to cause problems in an environment where the unofficial leadership of the House is trying to drastically cut spending. I will be surprised if this is taken up in Committee and do not expect this bill to come to the floor of the House.

Commentary

As with the earlier bill, there is no mention of protecting all of the smart technology being touted in the bill by cybersecurity measures. With the relatively small amount of money going to these grants, managers are going to try to pack as much tech as possible into their spending, so cybersecurity add-ons are going to be given short shrift. In my post on HR 6088 I suggested cybersecurity language that could be added for the drinking water portion of the bill. I think that language is still appropriate.

 

For more details about the provisions of the proposed legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/h-3490-introduced - subscription required.

Friday, May 19, 2023

Bills Introduced – 5-18-23

Yesterday, with both the House and Senate in session, there were 203 bills introduced. Two of those bills may receive additional attention in this blog:

HR 3459 To amend title 49, United States Code, to establish certain rules relating to unmanned aircraft systems and operations, and for other purposes. Yakym, Rudy [Rep.-R-IN-2] 

HR 3490 To amend the Federal Water Pollution Control Act and the Safe Drinking Water Act to authorize grants for smart water infrastructure technology, and for other purposes. Gallego, Ruben [Rep.-D-AZ-3]

I will be watching HR 3459 for language and definitions that would allow for protection of critical infrastructure from unauthorized overflights by UAS. I am not hopeful.

I will be watching HR 3490 for language and definitions that would include cybersecurity requirements within the scope of the legislation. Again, I am not hopeful.

Mention in Passing

There are two other bills that readers might be interested in that I would like to mention in passing. They will not be covered in this blog:

HR 3547 To require the Department of Homeland Security to develop and disseminate a threat assessment regarding the use of cyber harassment, including doxing, by terrorists and foreign malicious actors, and for other purposes. Wasserman Schultz, Debbie [Rep.-D-FL-25]

S 1671 A bill to establish a new Federal body to provide reasonable oversight and regulation of digital platforms. Bennet, Michael F. [Sen.-D-CO]

Monday, November 30, 2015

HR 3490 Passes in House

This afternoon the House passed HR 3490, the Strengthening State and Local Cyber Crime Fighting Act, by a voice vote after only 14 minutes of debate. The bill will proceed to the Senate where, if it is considered, it will likely be under their unanimous consent process with even less debate.


The bill and the National Computer Forensics Institute both continue to ignore potential issues with forensics investigations of attacks on industrial control systems. If the Senate Homeland Security and Governmental Affairs Committee does take up consideration of this bill (probably unlikely) it would be nice to see some sort of language encouraging the development of forensics capability for ICS attacks before they become necessary.

Tuesday, October 6, 2015

Homeland Security Committee Marks-Up Multiple Bills

Last Wednesday the House Homeland Security Committee held a markup hearing that dealt with a large number of bills. As I mentioned in an earlier post some of those bills will be of specific interest to readers of this blog. Those include:

HR 3350, the Know the CBRN Terrorism Threats to Transportation Act;
HR 3490, the Strengthening State and Local Cyber Crime Fighting Act;
HR 3503, the Department of Homeland Security Support to Fusion Centers Act of 2015;
HR 3510, the Department of Homeland Security Cybersecurity Strategy Act of 2015;
HR 3578, the DHS Science and Technology Reform and Improvement Act of 2015;
HR 3583, the Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies (PREPARE) Act;
HR 3586, the Border and Maritime Coordination Improvement Act; and
HR 3584, the Transportation Security Administration Reform and Improvement Act of 2015.

HR 3350 was adopted without amendments on a voice vote.

HR 3490

HR 3490 was amended and adopted by a voice vote. Rep. Ratcliffe (R,TX) proposed substitute language reflecting the changes made to the bill in a Subcommittee markup which was adopted by a voice vote. Two amendments were offered by Rep. Jackson-Lee (D,TX). The first dealt with chain-of-custody training. The second reaffirmed the supremacy of the fourth and fifth amendments with respect to the provisions of this bill. Both amendments were adopted by voice vote.

HR 3503

HR 3503 was amended and adopted by a voice vote. Two amendments were introduced by Rep. Loudermilk (R,GA). The first dealt with a requirement for DHS to conduct an assessment for accessibility and interoperability of the information systems used to share homeland security information between the Department and fusion centers. The second required DHS to enter into a memorandum of understanding about what types of information fusion centers would share with DHS. Both amendments were adopted by voice vote.

HR 3510

HR 3510 was amended and adopted by a voice vote. Rep. Clawson (R,FL) introduced one amendment which dealt with privacy concerns. That amendment was adopted by a voice vote.

HR 3578

HR 3578 was amended and adopted by a voice vote. Eight amendments, including alternative language offered by Rep. Ratcliffe, were offered and all were adopted on voice votes. The alternative language made no substantive changes of particular interest to readers of this blog. Of the remaining seven amendments only one of specific.

That amendment, by Rep. Langevin (D,RI), modifies the new §322 that the bill adds to the Homeland Security Act of 2002. That section addressed cybersecurity R&D, and this amendment adds a new activity to be addressed by DHS S&T: “support, in coordination with the private sector, the review of source code that underpins critical infrastructure information systems” {new §322(b)(4)}.

HR 3583

This bill was amended and adopted by a voice vote. Of the seven amendments offered and adopted only one would be of specific interest to readers of this blog. It was offered by Rep. Payne (D,NJ), the Ranking Member of the Committee.

The amendment modifies 6 USC 321e(c)(1), adding a new duty to the job of the Department Chief Medical Officer. That new requirement specifically calls for the provision of advice on “how to prepare for, protect against, respond to, recover from, and mitigate against the medical effects of terrorist attacks or other high consequent events utilizing chemical, biological, radiological, or nuclear agents or explosives”. This wording still limits that advice to ‘chemical agents’ so it would not include advice on response to industrial chemical incidents unless they were used as part of a terrorist attack.

HR 3586

The bill was amended and adopted by a voice vote. Rep. Miller (R,MI) offered an amendment in the form of a substitute. That substitute language softened much of the language in the bill but did not make any substantive changes of particular interest to readers of this blog. None of the other ten amendments that were adopted on this bill were of specific interest to readers of this blog.

HR 3584

This bill was amended and adopted by a voice vote. None of the eight amendments adopted on this bill substantially affected areas of specific interest to readers of this blog.

Moving Forward

All of these bills are apparently on Chairman McCaul’s (R,TX) agenda for moving to the floor of the House. I expect that there is a good chance that they will all make it to the floor prior to the end of the year and there is a chance that they will all arrive on the same day. With the broad bipartisan support seen in Committee I expect that they will all be considered under suspension of the rules with limited debate and no floor amendments. All of these bills should pass with substantial bipartisan support.

I do not see any of these bills as being a high priority for getting consideration in the Senate. Any of these bills could easily pass and none would have significant opposition; it is just a matter of legislative priorities about which of these might make it to the floor of the Senate.

Commentary

Not surprisingly, none of the suggestions that I have made here in this blog for improving any of these bills were included in the amendments that were adopted. Oh well, that is always the problem with being a voice crying in the wilderness; the few people that do hear you are not necessarily ones that can do anything about it.

There was that one odd amendment by Langevin on HR 3578 that kind of interests me. It does not cover control systems since this new section uses the definition of ‘information systems’ from 44 USC 3502 which interestingly only applies to Federal IT systems.

I’m not sure what Langevin was trying to accomplish with this ‘review of source code’. Okay, I suppose that I could guess that he wants someone to check these IT programs for bugs, but reviewing the source code is probably not the most effective method of doing that. And the terminology ‘that underpins critical infrastructure information systems’ was obviously not written by a programmer. Now the vendor should already be conducting a source code review prior to publishing the software, so I am not sure what Langevin is expecting this to accomplish.

The real interesting thing about this amendment is not actually what it does or tries to do, but the fact that it is part of a new trend in legislation over the last month or so where there are bits of cybersecurity language being added to bills that are not overtly cybersecurity bills. In many ways this is probably a more practical way to get cybersecurity provisions passed. Large, all-encompassing bills are always going to draw somebody’s ire and we will see few of them actually become law. Small targeted provisions (even if poorly written like this one) in a bill that is not going to draw substantial opposition are much more likely to get passed.

The problem is, of course, how do you keep the ineffective or even offensive small cybersecurity provisions out of otherwise good legislation? Amendments like Langevin’s are not posted in advance for public review and I doubt anyone on the Committee (members or staff) is tech savvy enough to understand how ineffective this provision actually is. And once an amendment is adopted in full committee it is unlikely to get removed in the remaining portions of the legislative process.

Small cybersecurity provisions that are written into original legislation are likely to be seen by reviewers like me, but will generally be overlooked by most people. This means that only the most objectionable are likely to draw the kind of opposition that will have them removed from the bill or modified to make them more workable.


This new approach of adding small, limited cybersecurity provisions to other types of legislation is going to start to make things interesting in the legislative process.

Monday, September 21, 2015

Subcommittee Amends and Adopts HR 3490

Last week the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee amended and favorably recommended to the full Committee HR 3490, the Strengthening State and Local Cyber Crime Fighting Act. The action was taken on a voice vote, suggesting substantial bipartisan support for the bill as I suggested in my earlier post.

The sole amendment added the Federal Law Enforcement Training Center (FLETC) to the list of agencies that the National Computer Forensics Institute is supposed to work with in furthering the goals of effective cyber forensics.

Moving Forward

Again, I expect that this bill will move forward to a full Committee markup fairly quickly. It will not be this week due to the short work week in the House (effectively only two days), but I expect it before the Columbus Day recess.

Commentary


I would still like to see this bill amended to specifically mention a requirement to establish control system forensics capabilities at the NCFI. While the ICS-CERT certainly has significant expertise in this area, they are woefully understaffed and underfunded to investigate an ever widening number of ‘control’ systems in the internet of things that will be coming under increasing attack as awareness of the vulnerabilities in these systems becomes increasingly understood by the cyber-criminal community. Even critical infrastructure ICS cases are going to start to come under criminal investigation and I don’t believe that criminal forensics is really the purview of ICS-CERT.

Tuesday, September 15, 2015

HR 3490 Introduced – Cyber Forensics Institute

Last Friday Rep Ratcliffe (R,TX) introduced HR 3490, the Strengthening State and Local Cyber Crime Fighting Act. The bill authorizes the existing National Computer Forensics Institute that is run by the United States Secret Service.

The bill would add a new section to Subtitle C of title VIII of the Homeland Security Act of 2002. Section 822 (would become 6 USC 383) would require the Institute to provide training to, and conduct information sharing with, State, local and tribal law enforcement and court officials on {new §822(b)(1)}:

Cyber and electronic crimes and related threats, including threats of terrorism or acts of terrorism;
Methods for investigating cyber and electronic crimes, including crimes related to threats of terrorism or acts of terrorism, and conducting computer and mobile device forensic examinations; and
Prosecutorial and judicial challenges related to cyber and electronic crimes, and computer and mobile device forensic examinations.

The bill also authorizes the Institute to provide “computer equipment, hardware, software, manuals, and tools necessary to conduct cyber and electronic crimes investigations and computer and mobile device forensic examinations” {§822(d)} to State, local, tribal and territorial officials.

The bill would also require that the Secret Service expand its network of “Electronic Crime Task Forces through the addition of task force officers of State, local, tribal, and territorial law enforcement officers, prosecutors, and judges educated and trained at the Institute, in addition to academia and private sector stakeholders” {§822(e)}.

No new funds or personnel are authorized by this bill.

Moving Forward

Ratcliffe is Chairman of the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee and is a member of the Judiciary Committee, so he is well placed to move this bill forward. In fact, it is scheduled for a markup hearing before his Subcommittee on Thursday. And it does not hurt that the Homeland Security Chair is a cosponsor of the bill.

This is essentially a housekeeping bill since it is providing formal authorization for an existing organization. As such it will certainly come to the floor under suspension of the rules and will pass with bipartisan support. It would have a good chance of making it to the floor of the Senate under their unanimous consent process.

Commentary

There is no wording in the bill that would indicate that the Institute should be looking at control system issues, but, then again, it does not specifically mention IT either. It would seem, however, that the Institute does not currently have much interest in control system issues. Their current course list does not list anything that would pertain to control system investigation tools or techniques.


Since we have not had any publicly acknowledged control system incursions in the United States that resulted in any damage or injuries, it really is not surprising that there is no law enforcement or judicial attention applied to this threat. It would be nice if language requiring such attention were added to the bill.

Saturday, September 12, 2015

Bills Introduced – 09-11-15

With just the House actually in session yesterday there were only sixteen bills introduced. Two of those may be of specific interest to readers of this blog:

HR 3490 To amend the Homeland Security Act of 2002 to authorize the National Computer Forensics Institute, and for other purposes. Rep. Ratcliffe, John [R-TX-4]

HR 3503 To require an assessment of fusion center personnel needs, and for other purposes. Rep. McSally, Martha [R-AZ-2]

I doubt that HR 3490 will have any specific language for control system forensics, but you never can tell.

With McSally’s interest in emergency response there may be specific language in HR 3503 pertaining to the incorporation of emergency response planners in fusion centers, but I’m not going to hold my breath.
 